dcrat | de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe
Size

1.3MB
MD5

970c2a20a0fa0cec67f711ba1db3833d
SHA1

daf30f8dd4df6034fb9bb5237f4ab63b3304617f
SHA256

de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd
SHA512

4337b8a6133189518562d0390ddf10c9223c7f078aa6b9053246e97ed5c7c41f50afdde06e6a237438f2bba26a3ddf5e437f03d5434c0afb625e5d49c7bc356b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2872	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2872	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018b68-9.dat	dcrat
behavioral1/memory/2824-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/2140-59-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/2840-125-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/3040-305-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2652-365-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/996-661-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1016	powershell.exe
1456	powershell.exe
2900	powershell.exe
2104	powershell.exe
1244	powershell.exe
1988	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2824	DllCommonsvc.exe
2140	explorer.exe
2840	explorer.exe
2280	explorer.exe
2900	explorer.exe
3040	explorer.exe
2652	explorer.exe
836	explorer.exe
2372	explorer.exe
2576	explorer.exe
2068	explorer.exe
996	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\fr-FR\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\System.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
2908	schtasks.exe
2576	schtasks.exe
752	schtasks.exe
1764	schtasks.exe
276	schtasks.exe
2752	schtasks.exe
2612	schtasks.exe
2496	schtasks.exe
2504	schtasks.exe
2784	schtasks.exe
1664	schtasks.exe
2668	schtasks.exe
2596	schtasks.exe
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2824	DllCommonsvc.exe
1456	powershell.exe
2900	powershell.exe
1244	powershell.exe
1988	powershell.exe
1016	powershell.exe
2104	powershell.exe
2140	explorer.exe
2840	explorer.exe
2280	explorer.exe
2900	explorer.exe
3040	explorer.exe
2652	explorer.exe
836	explorer.exe
2372	explorer.exe
2576	explorer.exe
2068	explorer.exe
996	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	DllCommonsvc.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2140	explorer.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2840	explorer.exe
Token: SeDebugPrivilege	2280	explorer.exe
Token: SeDebugPrivilege	2900	explorer.exe
Token: SeDebugPrivilege	3040	explorer.exe
Token: SeDebugPrivilege	2652	explorer.exe
Token: SeDebugPrivilege	836	explorer.exe
Token: SeDebugPrivilege	2372	explorer.exe
Token: SeDebugPrivilege	2576	explorer.exe
Token: SeDebugPrivilege	2068	explorer.exe
Token: SeDebugPrivilege	996	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe	30
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe	30
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe	30
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe	30
PID 2416 wrote to memory of 2756	2416	WScript.exe	31
PID 2416 wrote to memory of 2756	2416	WScript.exe	31
PID 2416 wrote to memory of 2756	2416	WScript.exe	31
PID 2416 wrote to memory of 2756	2416	WScript.exe	31
PID 2756 wrote to memory of 2824	2756	cmd.exe	33
PID 2756 wrote to memory of 2824	2756	cmd.exe	33
PID 2756 wrote to memory of 2824	2756	cmd.exe	33
PID 2756 wrote to memory of 2824	2756	cmd.exe	33
PID 2824 wrote to memory of 1016	2824	DllCommonsvc.exe	50
PID 2824 wrote to memory of 1016	2824	DllCommonsvc.exe	50
PID 2824 wrote to memory of 1016	2824	DllCommonsvc.exe	50
PID 2824 wrote to memory of 1456	2824	DllCommonsvc.exe	51
PID 2824 wrote to memory of 1456	2824	DllCommonsvc.exe	51
PID 2824 wrote to memory of 1456	2824	DllCommonsvc.exe	51
PID 2824 wrote to memory of 2900	2824	DllCommonsvc.exe	52
PID 2824 wrote to memory of 2900	2824	DllCommonsvc.exe	52
PID 2824 wrote to memory of 2900	2824	DllCommonsvc.exe	52
PID 2824 wrote to memory of 1988	2824	DllCommonsvc.exe	54
PID 2824 wrote to memory of 1988	2824	DllCommonsvc.exe	54
PID 2824 wrote to memory of 1988	2824	DllCommonsvc.exe	54
PID 2824 wrote to memory of 1244	2824	DllCommonsvc.exe	56
PID 2824 wrote to memory of 1244	2824	DllCommonsvc.exe	56
PID 2824 wrote to memory of 1244	2824	DllCommonsvc.exe	56
PID 2824 wrote to memory of 2104	2824	DllCommonsvc.exe	57
PID 2824 wrote to memory of 2104	2824	DllCommonsvc.exe	57
PID 2824 wrote to memory of 2104	2824	DllCommonsvc.exe	57
PID 2824 wrote to memory of 2140	2824	DllCommonsvc.exe	62
PID 2824 wrote to memory of 2140	2824	DllCommonsvc.exe	62
PID 2824 wrote to memory of 2140	2824	DllCommonsvc.exe	62
PID 2140 wrote to memory of 2124	2140	explorer.exe	64
PID 2140 wrote to memory of 2124	2140	explorer.exe	64
PID 2140 wrote to memory of 2124	2140	explorer.exe	64
PID 2124 wrote to memory of 1644	2124	cmd.exe	66
PID 2124 wrote to memory of 1644	2124	cmd.exe	66
PID 2124 wrote to memory of 1644	2124	cmd.exe	66
PID 2124 wrote to memory of 2840	2124	cmd.exe	67
PID 2124 wrote to memory of 2840	2124	cmd.exe	67
PID 2124 wrote to memory of 2840	2124	cmd.exe	67
PID 2840 wrote to memory of 1784	2840	explorer.exe	68
PID 2840 wrote to memory of 1784	2840	explorer.exe	68
PID 2840 wrote to memory of 1784	2840	explorer.exe	68
PID 1784 wrote to memory of 2336	1784	cmd.exe	70
PID 1784 wrote to memory of 2336	1784	cmd.exe	70
PID 1784 wrote to memory of 2336	1784	cmd.exe	70
PID 1784 wrote to memory of 2280	1784	cmd.exe	71
PID 1784 wrote to memory of 2280	1784	cmd.exe	71
PID 1784 wrote to memory of 2280	1784	cmd.exe	71
PID 2280 wrote to memory of 2088	2280	explorer.exe	72
PID 2280 wrote to memory of 2088	2280	explorer.exe	72
PID 2280 wrote to memory of 2088	2280	explorer.exe	72
PID 2088 wrote to memory of 1892	2088	cmd.exe	74
PID 2088 wrote to memory of 1892	2088	cmd.exe	74
PID 2088 wrote to memory of 1892	2088	cmd.exe	74
PID 2088 wrote to memory of 2900	2088	cmd.exe	75
PID 2088 wrote to memory of 2900	2088	cmd.exe	75
PID 2088 wrote to memory of 2900	2088	cmd.exe	75
PID 2900 wrote to memory of 2888	2900	explorer.exe	76
PID 2900 wrote to memory of 2888	2900	explorer.exe	76
PID 2900 wrote to memory of 2888	2900	explorer.exe	76
PID 2888 wrote to memory of 1560	2888	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_de41228ba602fbd9cf22561197422b343830637358559cf649e3665bd87b89cd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1644
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2336
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1892
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1560
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        14⤵
        
        PID:280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2768
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        16⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1940
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        18⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2396
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        20⤵
        
        PID:812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1872
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        22⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:916
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
        24⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2468
        
        C:\Users\All Users\Adobe\Updater6\explorer.exe
        
        "C:\Users\All Users\Adobe\Updater6\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        26⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a7529a56a50ea1375cee7de1fa076fb

SHA1
631e22acb7cde55a41354c4bdd07f360c772f0b8

SHA256
c20b2769a5e23e6353cb63c7f0c2fbd814c1480550ab53ca5a77f6e6fc5b16d6

SHA512
0f4ad4eb2dfacc4a244f8818c121ebbd2d7ac20c0716219c45ce8ce170a8f487810cf9acc7727c07f2e763cee3095c856db411a6a2955115ff5757f421a7e1f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e0e37b405f23eaf20cb10180ba9af2d

SHA1
fa9f49ba201180bf2cc8e8dcf36f862a16dc07e6

SHA256
3d6419e3ec1ee2a77ea58e1428e3a47e9d0b8630a97770a8e689f01fa6cb0890

SHA512
e47691885a381bd984c8d733fa8f505a1c8a491262518c40ff0d228834af8594cf8181d78e1ae84d9695d71666616ec8994d1583e2dafd31100d6cc1d12e1132

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
645f3e1cbab3719bbba2c44fd127c5c8

SHA1
1a1c2edea0336427fbca0461552b401b96e289f9

SHA256
f9f6ebbf4fe55673a74237e5fb17c30643c3f5a34db8003632d2091083ac7df6

SHA512
07d1608066b44099901ab3fc25d4a215b766fb2af3ebc3352a4720051c84b9edf745262348fcbaa489b47595979445beb075fbda988fb4b6d54dcd9eabef1f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe4c438161d5ca8ed60c4919d0087cb5

SHA1
43dd449a6c7af1050530c4519bdb31cc8c990c74

SHA256
b6e460481bbf2c75a16101f9b2b420993fef633832d923bc900b8176e3b6e58b

SHA512
1b75569e0fc8712029613ea4d0f71715b996840b1b410b99543629ecab1707fd0fdaab770a3da6356ff77798ff597ad1427ba4e17c370c2e09d9f3d7852fcdb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1addad78d77a83e7fb0a472ff8757f5

SHA1
61b13b817ca43d6bdcef3d27aa7242248113a5d9

SHA256
7f5cf9cc6484917cf9da2a19ffbe25515832257d2a4e02f59cba5d9c484b8ec6

SHA512
6428650cdacc918455d2ce2f7f01b268b787b3f38fb8194156b6bbef66152699662af7834a029f5bb87c88129b4636eb3c1cba908c2548b3978b4d91b14a1bb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22affb6a3d70bb9682be86218a65da9f

SHA1
986a13032e90614024e649f784ffc76f7b23419f

SHA256
cc7d4f87b22eeaed4849617953fe420af2b30654d44903924325dad16bcbbcd2

SHA512
85dfcc28adadd20e1965570748c6c1df180c48f42592ddce0005c219e620ff7963b2516905dd4f4fa99b392908739c05460a34f54580a2bd5ea743cb7c94d3fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f9cbcb723c857c604ad65ccaee4379a

SHA1
c567f3a2d30071793cefee85ea79a4b6c3a3a43b

SHA256
9ecd0af375068e2823dd82b11554f55bd0b16124d34e43aa71c76f52fbb84b18

SHA512
a0c7907a5afec53124a1970dd6ea33b6c45d7bc2251a7c417f9de87d6627303ecb307bba98d0568355fd7526515a544f9de69b922b94e29dbc42b73b0b83646a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd2934274bbb04b47fac28fdbff6a10c

SHA1
39d50d9626b582049fc9fb41a891aacab1911120

SHA256
1a921b902df60a172e69b2941540f0af8cf03fe51a53606b8bf9a5240bf05399

SHA512
1a99bb1b616bfb90d3e9f9fce459741eff2d2b47c28e51b4b5036ba8c1914193ed913c1728383aff19b510b48d1cee0dabf951c3a16f056c8a67eda7a5c8ec2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab41aa5ab220361bf7a4250a4cee75b5

SHA1
deb69c84e00ecc555b88149a3305b264e2d9de08

SHA256
28c8bc3d2c43c9197f8f90e11ba5cf9e3ba0d1d2f3eaf67f274f2321cce85884

SHA512
df14f9476c6daef0b9aa631226995a99bfd307d9f99d78d47524774977b21c8c30f1365193eaee74acb0e51d76f8aa532c1706d51018c5a71a4a01db8d83b42e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5c35992d3b5c10c035e8b7eb5469147

SHA1
38b50efced34010e578f531915a08f623f1c0401

SHA256
822ea34f105d4e75008b56c79c01e132b47dfd6fbe56c9586f848b119d93a8cc

SHA512
79df46757f48296c7c2ecb0bbb2c97ee9591ceba8eb2b2ae0e741d0fba799a0e42c2a843dd2a9858f7cd68d6c8ab37eefc4503abc734eb9b7f00c4e8477922e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
211B

MD5
827620332ca53fd03382a5b081a55e33

SHA1
26989b1ef95cba16f99d5c12085cd0bd6c490323

SHA256
9e08b0a055685aaa29ede48b52fc749abd1589974cb5426a767c7f6358baa56b

SHA512
d16ac46188deec9eab0ad4bd347d2bacb944decd3e161bcbd85ba02c7aaea5cd9c7778a8f5adf964ac82b18c0d99eb65936633e7633d4d0c7483bc2e03bcf84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE810.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
211B

MD5
dd83738c3ad80062f71cf4edaaa4ddf9

SHA1
bc9f32d02ad28ad6d3fb28235059f277138dfae3

SHA256
bc108b4dbdd508cc75e0c46b6fc874256e0333a7821a99e16517298bfbf9a764

SHA512
9a1ce50d50a9e145ca362a2af219105f18b372ffd02ce69680b3b3e842b6b0ab0c59a34509af7d30fb3eb1fee39dea046cb9eec57a6e754c04ce334cd2b88c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
211B

MD5
2c2337f03bb3d2b0900abc052ca4e0d6

SHA1
b233f421ae5d755dbd4cf732e6eb19feb0b1cc12

SHA256
7df156a16eb9ad587868a0f24f07a97d355238b1f9ca79180dfe225ed3ef85e0

SHA512
a5d2d98fc3f281d75fb9616e9490c56cdb7b57abb09054e524d68a158d7176788871fee86fab70aa36215207c9dba9245a7dc3fbc377355467e8d3dd91dda25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
211B

MD5
c37f20a1841507a0075394d2feee157c

SHA1
76282bbceed1fa0ace68d6ee97cfe2f8a97d8dcf

SHA256
8cc1706e217a2fb391a42c16bd087aa8443fc1bc6023c985217c6fa5cf2d41de

SHA512
79028ee1e16573180ac6eeca2bf57e3f2ec909914dad11992f43b61420a9a6f2f2d19836319d67943ebaf5c7c2d6edbd2080bd1aa5a23faeaf1d0d767bfaabda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
211B

MD5
e8233f0722652f58fff6a20c223c1c4a

SHA1
89057ac72eeb5fb3237be36d209fbd9c51262981

SHA256
b5f343086156e642e04e6f00ce1b54efe85e969eb05f9b8dcf61a9673fabe68d

SHA512
35bf54283e9a8d6f5e3919ad6ca1e845ecc96b4d4ef31ce9aca17fb25f33f7c9a3e9ad5c7fdbc04123d9ae68dde61345ee776e5e599fe808ec82ec408557e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
211B

MD5
3ac2ee2d00c224cd71a945dda8608bc2

SHA1
7a7f1b5a214b9db9fdd98c81e4ce1158b26549e6

SHA256
7c157451fffbe8b32311e2e364d6f01bb2a541feed0a3d7155320b953b75e4bb

SHA512
c5a9d47a6a2e16f03548a4f6350cda3fd8eebd92f1198265131c0b447448bb7fa409da198d4a0e5157088692443ffa8f91a4d724794cae7cace1d152aae933f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
211B

MD5
77b92bdf5de0c8828a816dd719d04651

SHA1
b134936d0e5b6d6f8bd17f59dd383f6f2b4f9e65

SHA256
f155ea95d16fa4f7a02b8091af89de07eb159277aeffa63347391335be481051

SHA512
cb43f60250af1202e2e0e1521abd8de9c6711c48168e4c1eb12cc3b14a8f1632da0e2915fa0bbf7a4d1a0d33f18b64241277f15b5e370c0b75a82b4e333a9984

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE832.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
211B

MD5
0a27391693e08bc0ed3cfef782ac3eb1

SHA1
08d8911e1c458e015ddeae693f5014d753223b68

SHA256
d1391af59b38716e4e3c782fe4c93f8f7aaf751514e1d6555d7bfa85705d22ab

SHA512
81975f898ca519d7a03c1618d4c1fe3f12709c5abae785fa969a145cf1b9f1dbb3aaf4d4e7868e17ac71ab53649524a856f05b2d18086413105d5fc93462e1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat

Filesize
211B

MD5
86904c05d2a8a5cfd38476cc07218ce1

SHA1
56cdd976e998a44e744d8cd1201456321b1222f6

SHA256
43617246cd8ae561fa6a42317ec3a4601811174999975bebeea05e1ca1f93f44

SHA512
0f6eee6ab4d07d9ba2983c3b635a13c24bcbdb563598c87fce1943cb857893639b3e526d9d8986cbf83b669db204807dcefadeb6f7da23731e72a1d240045511

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
211B

MD5
2792da2a726827008a8e9b8330495d3d

SHA1
c07295c53ca9ff22b7ee2d956b804d3cd638b572

SHA256
185cd3d0027597110f6ac5451131a61eada7956cdc4a6af93086cd056c09f917

SHA512
52a150429dc7430482a06094dd9c1f335e17f48b4e15468344028372c83bcb340807cf1c23137e2ab84d56e807ade49069e6c5845f1260ef1f9eeea1c2e82220

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
211B

MD5
dcf7076051642ec607f765d2070d2b90

SHA1
47c264260c99e2fbb98576e3c82dd625414a0e81

SHA256
3c2b31b1b1e96f101e6074fa253d12cbc0558fd01902eef201ed2707173cf80a

SHA512
1cbd1eb02599893eb3bfe5d67a3500e647cf47311a0ce9a6df3ead840634efe4b01fb0b52fc19dd3360a649de5117192917e13a6f42487c735b45d23aeec7e45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d86018e58016551bfb2f270c92e78e53

SHA1
2d310b69201a5d7f5aad6f037c2fd0051d11b520

SHA256
d7869f422caef1c1429bb4d974d05b02f9d27dc50a3fd2eae33da2e20d7fc8b7

SHA512
ff3ee0fdb5ee2264fc3d6ef0f6aeb9d63c8cb387667b6f480262e5d2aada3c3940706d23ff6174429a61f798b2fa6a7d663cc643d0df2442059f395b10f49e32

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/996-662-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/996-661-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/1456-43-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1456-42-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2140-59-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/2140-66-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2280-185-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2652-365-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2824-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2824-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/2824-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2824-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2824-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2840-125-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/2900-245-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/3040-305-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download